Fileless Attacks Ten Times More Likely to Succeed: Report

A new report from the Ponemon Institute confirms, but quantifies, what most people know: protecting endpoints is becoming more difficult, more complex and more time-consuming -- but not necessarily more successful.

Commissioned by endpoint protection firm Barkly, the report (PDF) confirms that defenders are increasingly moving away from primarily signature-based malware detection by replacing or supplementing existing defenses with additional protection or response capabilities. One third of respondents have replaced their existing AV product, while half of the respondents have retained their existing product but supplemented them with additional protections.

To combat both old and new defenses, attackers are responding with a new attack methodology -- the fileless attack. Ponemon notes that 29% of attacks in 2017 have been fileless. This is up from 20% in 2016, and is expected to increase to 35% in 2018.

The fileless attack does not install detectable files. These attacks, says Ponemon, "instead leverage exploits designed to run malicious code or launch scripts directly from memory, infecting endpoints without leaving easily-discoverable artifacts behind. Once an endpoint has been compromised, these attacks can also abuse legitimate system administration tools and processes to gain persistence, elevate privileges, and spread laterally across the network."

According to Ponemon, 54% of companies have experienced one or more successful attacks that have compromised data and/or infrastructure, while 77% of those attacks used exploits or fileless attacks. While the attack methodology has changed, the ultimate goal of the attacker has not. Ransomware, for example, remains a major problem. Half of the surveyed organizations have suffered a ransomware incident in 2017, while 40% of those have experienced multiple incidents. The average ransomware demand is now $3,675.

The implication from these figures is that bad guys can adapt to new security faster than good guys can adapt to new attacks. Barkly's CTO Jack Danahy doesn't believe that this is inevitable. "For us," he told SecurityWeek, "the problem is behavioral." Since the bad guys will always get better at obfuscating what they are doing, plus the reality that they have equal access to the technologies that the good guys use, "you know that they are going to look for ways to get around the entire class of defense."

Fileless attacks are the bad guys' response to traditional machine learning. When you look at the two bodies of technology, the older and the newer endpoint protection products, there's a common factor -- they are all file-based. They both still need a file to look at. This is what led to the development of fileless attacks. "We knew right from the beginning that we had to concentrate on stopping attacks because of their behavior, not because of any malware files they use. We had to find a way," he explained, "to identify really low-level, really early behaviors that are representative of when malware is trying to set itself up, before it can do any corrupting activity."

To do this, Barkly developed a system that would examine both good behaviors and bad behaviors, and to be able to 'disambiguate' the two. "This is opposed to the standard method of looking for changes that have already happened or specific attributes of existing files in order to know that something bad is happening. That's too late," he said.

The end result is a SaaS product that updates its ability to differentiate between good and bad behavior on a daily basis -- using Barkly's own 'responsive machine-learning' (a combination of both supervised and unsupervised machine learning). "It's like a factory of bad behaviors and a factory of good behaviors, with machine learning to disambiguate the two," he said.

Users do not have a high opinion of most existing endpoint products, notes the Ponemon report. The average organization has seven different software agents on its endpoints to manage security, making it 'noisy and time-consuming'. Perhaps because of the growing number of products, 73% of organizations say it is getting more difficult to manage endpoint security, and two-thirds do not have the resources to do so adequately.

The biggest problem with most current solutions, according to the Ponemon study, is that they do not provide adequate protection. Danahy is not surprised. "You cannot claim to do endpoint protection unless you can stop both file-based and fileless attacks before they get through and harm the client. A fileless attack is ten times more likely to succeed than a file-based attack."

According to the study, the total cost of a successful attack is now over $5 million. The 'cost of a breach' is a contentious subject because of the variables concerned. Ponemon is known to take great care over its conclusions, but Danahy agrees it's a difficult concept. "That's why," he told SecurityWeek, "I insisted on the 'average cost per employee' being included." This figure stands at $301. It makes it easier for smaller firms to realistically consider the likely cost to themselves.

Ponemon's conclusion from the study is that organizations would "benefit from endpoint security solutions designed to block new threats like fileless attacks, which are responsible for the majority of today's endpoint compromises. To restore their faith in endpoint security's effectiveness, new solutions need to address this crucial gap in protection without adding unnecessary complexity to endpoint management."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.